As we approach the end of the academic year, here is a round up of the current technology threats directly affecting the SHASS community. Please feel free to flag this email for later reference or more detailed reading.
1) In addition to the usual SCAM EMAILS pretending to be from any number of financial, education, delivery, or commercial institutions, we’ve started seeing new scam emails that look like they’re coming from people at MIT. Some of these have taken the form of scam messages pretending to be “from IT” trying to get you to click on a link or download an attachment filled with viruses, ransomware, spyware, or malware.
Remember, no one at MIT will EVER send you an email to ask you to confirm, validate, verify, register, reactivate, surrender, or require you to click on a mysterious link that demands your credentials or other personal information and/or download an attachment. If you get one of these emails, DELETE it immediately.
2) FAKE WEB BROWSER ALERTS telling you that you’re INFECTED by bad stuff, malware, or viruses are on the rise. Some may try to get you to call a phone number where a bad guy tries to convince you to give them remote access to your computer. Others may try to get you to install a fake virus scanner that’s actually key loggers, spyware, or malware. Remember, all of these popup windows are fake. Never do anything these alerts tell you to do.
If your browser is hit by one of these, just quit out of the browse (force quit if necessary), shut down your computer, and turn it back on again. That should clear things out. Definitely contact us if you feel you’ve lost control of your computer and it appears to be doing things outside of your control.
3) PUBLIC WIFI (including MIT and MIT Guest) is NOT safe.
On the MIT campus, all on campus WiFi users should be connected to MIT Secure ONLY. Authenticate with your kerberos username and password to connect.
Most hotels, airports, convention centers, restaurants, and coffee shops offer free Public WiFi. These networks are NOT safe and all users should assume there could be bad actors embedded on these networks actively looking to intercept your internet activity.
Using public WiFi is fine for non-essential touristy activity like looking up reviews, restaurants, maps, traffic, or checking the weather.
You should NEVER pay your bills, access your bank accounts, or make purchases when connected to public WiFi. If you HAVE to conduct any activity where some confidential information is involved and you have no other options, ALWAYS run VPN first so your network traffic is encrypted. VPN is not an impenetrable shield but your internet activity no longer becomes low hanging fruit to the bad guys.
Information on MIT’s VPN can be found here:
4) HOSTILE CRIMINAL GROUP AND/OR STATE-SPONSORED CYBERATTACKS against our email servers, file servers, and Internet infrastructure are in full swing. Some of these attacks have spurred recent alerts from Homeland Security, the FBI, and the US Computer Emergency Readiness Team (US-CERT).
It is important to realize that any of us could be directly or indirectly affected by these attacks, so please make sure you MAINTAIN REGULAR BACKUPS of your data.
Use Drop Box. Use external HDs. Use Windows Backup or Apple’s Time Machine. Use IS&T’s CrashPlan. Use USB thumb drives. I always recommend users maintain 2 backups at any give time of their most important files and keep them at separate locations, one at home, one at work.
Remember, only YOU can prevent data loss.
5) Wi-Fi SECURITY FLAWS like the KRACK WiFi and the Meltdown and Spectre CPU exploits enable unauthorized users onto our private home networks or access confidential data. If you’re not renting a router from Comcast, Verizon, RCN, etc and/or you own your own router that’s more than 5 years old you may want to be thinking about buying a new router that is protected. CNET has a winners list of the best routers here:
https://www.cnet.com/topics/networking/best-networking-devices
Be sure to run Operating System Updates (Mac OS, Windows, etc) as they become available to make sure your operating system is patched against as many of these exploits as possible.
6) TELEPHONE SCAMS involving FAKE IRS/law enforcement warnings or demands for payment of debts. If you get one of these calls hang up immediately. If you get a voice mail from these scammers, DELETE it immediately. Give these scammers nothing.
All legitimate IRS issues involve first contact via USPS mail NEVER by phone. Local law enforcement do not make calls to shake people down for past debts.
The IRS has information on this scam here:
https://www.irs.gov/newsroom/tax-scamsconsumer-alerts
The FTC has information on bogus debt collection scams here:
https://www.consumer.ftc.gov/blog/2017/08/phantom-debt-collectors-impersonate-law-firms
An AARP article on con artists impersonating police:
https://www.aarp.org/money/scams-fraud/info-03-2013/beware-of-police-impostor.html
7) CREDIT CARD SKIMMERS are on the rise in MA at ATMs and Gas Station Credit Card readers. Not all skimmers are easy to spot and some gas station skimmers are installed out of sight of the customer. If you have doubts about any card reader you’re using, grab it gently and pull. False skimmer overlays usually easily pop off. If you pull off a skimmer, immediately report it to the authorities who own the machine. There are also skimming technology that cannot be seen.
For more information on card skimmers:
Card Skimmers In Massachusetts: How To Spot Them
https://patch.com/massachusetts/somerville/card-skimmers-massachusetts-how-spot-them
How to stop sophisticated new credit card skimmers
https://www.fox25boston.com/news/how-to-stop-sophisticated-new-credit-card-skimmers/558583203
Could you spot a credit card skimmer on a gas pump?
8) PASSIVE KEYLESS ENTRY systems found in cars (cars with push button start systems) have been under attack over the past several years with radios that are capable of intercepting and cloning the signal from the fobs. With the availability of cheaper technology, this tech allows a bad actor to access the car and drive off with it.
Key Fob cloning
https://www.youtube.com/watch?v=eMFDcCYVNeE
“Mystery Device” can unlock and start your car
https://www.youtube.com/watch?v=EE5Ygm0aFMk
“JUST A PAIR OF THESE $11 RADIO GADGETS CAN STEAL A CAR”
https://www.wired.com/2017/04/just-pair-11-radio-gadgets-can-steal-car
It is important to note that cars with turn key ignitions are not affected by this vulnerability as they do not use a fob that is constantly broadcasting the RFID signal that can be stolen.
Users who have vehicles that use passive keyless entry should place their fobs in an RFID protected bag or purse immediately after they exit and lock their vehicle. Drivers should also consider using vehicle immobilization tools like steering wheel or brake pedal locks (The Club, The Auto Lock, etc) that add obstacles to a thief’s ability to easily steal a car.
As Aldous Huxley said in his 1965 introduction to the radio version of his novel “Brave New World”: ““Eternal vigilance is not only the price of liberty; eternal vigilance is the price of human decency.”
The technological landscape is always changing so remember, there is no such thing as a dumb question. Please ask if you’re not sure and please have a sane and safe end of semester and academic year!
Cheers,
Albert